Sunday, June 27, 2010

Stay Safe Online: Strong and easy passwords

Blog moved. I have a new home now at Do update your bookmarks :)
Passwords are the most critical part of security, it keeps everything from your emails,social networks  to your financial transactions, safe. No matter how secure the systems are, or how much money  was spend to buy the latest security software, you are totally vulnerable if the chosen password is your second name or date of birth.

Most difficult question is, how to make easy-yet strong passwords????.I have came across an interesting article in this topic, you can read it here.

My favorite method is to use a long phrase or a sentence  as password.For example "youwillneverhackmyaccount" will be a very strong password, very easy to remember also.

If you want to have separate passwords for different websites you can customize the phrase to suit it.For example "ihaveastrongpasswordfororkut" can be used for orkut and for facebook change the name to FB :)

To create passwords with numbers and alphabets, form a statement containing numbers.Example "mydobis28june2010".There is very little chance that, anyone will be able to guess this password even if he/she knows your DOB.

For even more security, you can include special characters also in the password. The key to remembering them is to apply the fact that, those characters  can be typed by pressing shift and pressing the corresponding number.You can remember "mycarsnumberis12#$" as 'mycarsnumberis12shift34'.

Hope this info help you to create a strong password next time you decide to have one.

Wednesday, June 16, 2010

Stay Safe on Gmail : Recovering from a password hack

Blog moved. I have a new home now at Do update your bookmarks :)
Ever had the nightmare of someone hacking into your mail account?Losing all the contacts you had in a moment....unable to access important mails, or even worse someone is taking advantage financially?Well these are common scenarios theses days, with the increased number of malware infections,increased online presence and reused passwords.If you depending gmail as your main email address you may want follow some precautions to ensure that you can recover your account without much loss and in time, in the event of an incident.

Have a separate secondary email address ready: The first step in recovering your gmail(or google account in general ) password is through the secondary email id.  If the hacker haven't changed your secondary email address,then you can reset the password, hence regain access. If are not sure about your secondary email or haven't set it yet, go to google account settings.There select change password recovery option. Then set your secondary email, security question and update your phone number also. Its better to have a dedicated email account separately to be used as the secondary email for various services you use.Make a point to set a different password to this account, and also do not enable email forwarding.For added security,do not disclose this address to anyone or use it for any other purpose.

Try your luck with security question: If you lost access to your secondary email address or couldn't remember the id itself now, you can try password recovery using the security question you have set.But if the the hacker is smart, he will immediately change these details once he have access.So the only option left with you is to use the password recovery form and prove that you are the rightful owner of the account by entering few details.

Proving your ownership: If all the recovery methods specified above is failed, then the only option left is to prove to the google  that you are the rightful owner of that account.The recovery form can be found here.So take a sheet of paper and write down the following details( you can also use your mobile for easier access).Even if you can't find the exact details,get the closest data.

 Account Creation date:Go to the oldest emails in your Inbox.There will be a welcome email with the subject "Gmail is different. Here's what you need to know" from the Gmail Team upon creation of your account.If you have deleted that email,take the date from the first email you have received.

Orkut and blog creation date:Most likely you will be having these two enabled(if you don't have it,create it and note down the dates).For getting the approx creation date of orkut account, take the date of the first scrap you received.For blogger, go to your profile and note down "On blogger Since" date.

Also note down the account creation date for any two of the google services like analytics,adsense etc.[If you don't have any of these services activated, now is the time :) ]. For Analytics, look at the first date when it started collecting stats for your website(s). For AdSense, you may take the help of your AdSense account manager.(I don't know how to get the creation date for services other than these,if you have any idea kindly let me know, I uses these only.)

Noting down some more details like, most emailed contacts,custom labels created, email address of the person invited you to gmail may also help you in some cases.

Once you have recovered your account, reset your password,secondary email,phone and security question immediately. Also do check the "Forwarding and POP/IMAP" tab in the settings page for any forwarding rules added.The hacker could have added a forwarding rule so that he will be able to read all your mails, even if he lost control of the account.You may also check the activity history by clicking the "Details" link at the bottom of the page.It will give you the IP address of the hacker, by which you can pinpoint(may not be possible always) the attacker.

But always prevention is better than cure, do take precautions while browsing on a public system,un-secure wireless connection.Be cautious about the links/files you get in mails etc.You can create a backup copy of your inbox locally using  an email client like Evolution/Outlook etc for better security.

[Update: Friend of mine suggested another idea for archiving, create a separate gmail account and add an email forward to this account from your normal mail.Also add send email as u r original email in this secondary email.So even if your email is compromised you will have all your mails and still will be able to send emails.  ]

Thursday, June 10, 2010

Tabnabbing : All your tabs belongs to me!!

Blog moved. I have a new home now at Do update your bookmarks :)

Ever heard of the word "tabnabbing"??? well I haven't until a few days back. Guess what, a new word to the  community and new method of attack to the bad guys!!. Its a new method of attack, that can be used for phishing, unveiled by Aza Raski, Creative Lead of Firefox, exploiting the weakest element in the chain Humans!!.

Well since the introduction of tabbed browsing, most of us surf the web with multiple tabs open, since its very convenient, and keep switching between them.You read news,chat with friends,update your FB status, all in different tabs. Here comes the problem, since all the tabs are open by us, we tends to trust them!!. Its not possible that the webpage in one tab might have changed while we are browsing in another right??.

Wrong!! as demonstrated by Aza, its possible for an attacker to detect that your viewing another tab and change the content of a particular tab to a phishing page.It happens relatively fast so that users won't normally see the page getting reloaded.

How Exactly the Hack Happens?
1. Someone is sending you a link to a web page say an article about present job market to your gmail id.
2.You open that page in a tab, which seems like a legitimate article.
3.After giving it a quick read, you navigate to another tab to check the cricket score.
4.Attacker's page detect that you have navigated away and haven't interacted to it for a while.It replaces the favicon icon with that of gmail's,the title with “Gmail: Email from Google”,  and change the page contents to look like the login page.
5.As the user scans through the open tabs, he/she will see the familiar looking Gmail favicon and title, without much doubt he/she will be ready to enter the username and password in the page thinking that it might have been automatically signed out, which is a normal situation.
6.The credentials goes to the attacker and you will be redirected back to gmail's page.

Well the attacker got what we wanted,and you have no clue!!.If the same password/username combination is re-used in a bank OR if the attack is performed with a bank's login page then the loss of the victim will be much more.

Still not convinced!!!??? See the video and you will understand.

[The video is taken from aza's original post which you can see here]

So How Do We Fix It?
The attack is based on human psychology,rather than any vulnerability in the software, which makes it difficult to prevent.Firefox is coming up with Firefox Account Manager which will protect users from these kind of attacks and makes logging into websites easier, at least they claim it that way.Another method is to use NoScript to block all the un-necessary scripts/flash/java in a webpage, which will block not only this attack but a bunch of others too.